Do Biometrics Really Keep Us Safe?

Data privacy risks evolve with technology.

In January 2019, news broke of yet another massive data breach. Described as one of the largest public data breaches to date, the data collection dumped on the web included more than 773 million email addresses and over 21 million passwords, probably stolen and stockpiled over more than 10 years. Breaches like this are the reason that retail, financial, and other organizations are turning from passwords to biometrics—the measurement and verification of unique physical characteristics—to control access to accounts, devices, and physical facilities. But, as we reported in a recent blog, there are potential issues with biometrics, the first and most fundamental of which is whether they are effective in protecting our identities and security.

Today, biometric identification methods are not 100 percent accurate. For example, Information Week recently reported that because the fingerprint scanning area on smartphones is small and only identifies a partial print, researchers were able to fool 65 percent of devices with only five “master fingerprint” designs. And researchers at MIT recently found that Amazon’s facial recognition system was very accurate in identifying light-skinned men, but only about 70 percent accurate in identifying dark-skinned women. This suggests that until biometric identification technology improves, some people’s biometric identities might be easier to fake than others. And how would you feel about being arrested by the police or prevented from getting on a flight because you were misidentified by a biometric system?

Another issue is that criminals have found ways around biometrics. First, as we just mentioned, biometric systems can be fooled, for example, with photographs of faces, recordings of voices, or a fingerprint lifted from an object you’ve touched (using something as simple as a Gummi Bear!). Second, biometric authentication works by comparing the data that you provide against stored data. (That’s why you have to set up Touch ID on your phone by having the device scan your fingerprint.) But, like any other data, stored biometric information could be stolen in a data breach. And unlike a password, you can’t change your face, voice, or fingerprint, so a criminal can use stolen biometric data indefinitely. Finally, criminals are now finding ways to fool people into supplying their biometric identification, for example, to an app. Then they use that information to steal money through bogus fees or in-app purchases the consumer didn’t want.

Biometric identification is the wave of the future, whether we like it or not. Today, most of us have a choice of whether to use biometrics on our devices and accounts. If you’re not comfortable with Touch ID, for example, many accounts let you opt to have a security code sent to your phone or email for authentication instead. But the accuracy of biometric systems is constantly improving, and for simple transactions, biometrics do keep us safer than passwords alone. However, there are important privacy questions that need to be addressed before biometrics become a requirement of everyday life, some of which are already being experienced in other countries.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.